Payment card dumps on dark web indicate compromise at Meezan Bank — researchers

In October, 2015,  The Daily Times reported:

The State Bank of Pakistan (SBP) has directed the banks to report in details about all established security breaches, its analysis and its designated payment systems department, on quarterly basis to explain the impact of security breaches on institution’s business, systems, applications and customers.

The directives were issued in the SBP “Regulations for the Security of Internet Banking” to provide the banks a minimum set of operational, administrative, technical and physical safeguards to secure Internet banking offered by the banks in Pakistan.

That news report is no longer available on the news outlet’s site,  but the regulations are available here.

Over the past few months,  there have been reports suggesting significant payment card breaches involving Pakistani financial institutions.  In November, 2018,  20,000 payment cards were reportedly found for sale on the dark web in two dumps in October. Bank Islami was one of the banks implicated in the rash of payment card compromise,  but in February,  Group 1B named Meezan Bank as also having possibly been compromised after 70,000 more cards showed up for sale on the dark web.

Now Gemini Advisory has added to the research.  In a report released today, Stas Alforov and Christopher Thomas report that Gemini identified 260,000 Card Present payment cards with a total value of around $25 million USD associated with Pakistani payment card breaches that were posted for sale between October 26, 2018 and February 25, 2019 on Joker’s Stash:

The data posted to Joker’s Stash was divided among five different bases. The original base, “PAKISTAN-WORLD-EU-MIX-01,” was posted on October 26, 2018, and totaled over 10,000 records with a median price of $100 USD. It included only Track 2 Data. The second and third bases, “PAKISTAN-WORLD-EU-MIX-02” and “PAKISTAN-WORLD-EU-MIX-03,” were respectively posted on October 31, 2018 and November 13, 2018, totaling over 190,000 payment records with a median price of $110 USD. They included both Track 1 Data and Track 2 Data. Through a deeper analysis of this data, it appears that the point of compromise was located in Pakistan and had affected non-Pakistani cardholders traveling from various other countries, likely indicating that this data was compromised in highly traveled tourist areas.

The final two bases, “PAKISTAN-D+P-01” and “PAKISTAN-D+P-02,” were respectively posted on January 24 and January 30, 2019, totaling to roughly 57,000 payment records with a median price of $50 USD; they only included Track 2 Data and the records purportedly had PIN information. All of these records were associated with a single Pakistani financial institution: Meezan Bank Ltd.

So now we have both Group 1B and Gemini Advisory pointing to compromise involving Meezan Bank.

Meezan Bank did not respond to earlier reports  or news outlets that had reported on earlier findings. In light of the new Gemini Advisory report that was provided to DataBreaches prior to publication,  DataBreaches.net reached out to Meezan Bank yesterday to ask whether they had confirmed or refuted any compromise of their internal system.  They did not respond by publication deadline.

It is not known whether Meezan Bank has reported any breach or security issue to the State Bank of Pakistan.

This post will be updated if the bank does respond.

About the author: Dissent